Channel: Abhishek Jain, Author at BitRaser

Importance of Erasing Hidden Disk Areas for Meeting Compliance


Privileged access controls, encrypted storage media, and multi-factor authentication might provide a sense of relief about the security of onsite data storage systems. However, when these systems need an upgrade or have reached end of life, they need to be erased securely, including wiping hidden disk areas. The risks posed by remnant and hidden data are often overlooked. NIST SP 800-88 Rev 1, Guidelines for Media Sanitization, highlights the risk that residual data fragments can pose to data security, especially on IT assets that leave the premises of the organization.

The reasons for moving IT assets out of the organization's or owner's control vary. It could be a periodic hardware refresh cycle, getting rid of end-of-life IT assets, or donating laptops & desktops to fulfill CSR (Corporate Social Responsibility) obligations. Whatever the case may be, no data-bearing IT asset should leave the organization’s control without complete media sanitization. Partial or incomplete sanitization, or leaving data in hidden & remapped sectors, can cause a data breach, as user data or its remnants can reveal sensitive information. Sanitization must also be performed during intra-organization movement of IT assets, such as laptops being repurposed from the R&D division to the accounting department, to ensure data security along with adherence to Green IT practices. It therefore becomes crucial to choose a data sanitization tool that can access and erase these hidden areas, ensuring data confidentiality.

Where Are the Hidden Areas in a Drive, and What Data Do They Contain?

Hidden areas and remapped sectors may contain different types of data, such as authentication details, deleted data fragments, backup copies, system logs & metadata, and firmware & recovery. Although these hidden areas exist on the disk, they are not accessible by the user, the operating system, the Basic Input/Output System (BIOS), or the Unified Extensible Firmware Interface (UEFI). On ATA (Advanced Technology Attachment) and IDE (Integrated Drive Electronics) drives, these hidden areas are the Host Protected Area (HPA), the Device Configuration Overlay (DCO), and the Disk Firmware Area (DFA). In many modern disks, Accessible Max Address (AMA) replaces these hidden zones.

  • HPA: Present on Hard Disk Drives (HDDs) and Solid-State Drives (SSDs), this area was introduced by the ATA-4 standard. This reserved disk area stores diagnostic utility functions and also enables the system to boot when the normal boot process fails.
  • DCO: This provides PC vendors the option to customize the available storage on the disk. By configuring the same number of sectors in diverse-sized drives of different manufacturers, DCO makes it seem to the Operating System (OS) that the drives are of the same size.
  • DFA: Any sector on the disk identified by the disk as “bad” or “failed” is assigned a new address. The utility of remapping these unreadable sectors is provided by DFA. Also known as the Service Area, this zone also contains elements that enable advanced disk security.

Why Does Data in the Hidden Zones Pose Risks?

The hidden areas on a disk are not accessible by standard file system commands, the BIOS, the operating system, or even the user. Specialized ATA commands or tools are required to access the drive’s HPA and DCO. Because users can write data to the HPA using these commands and tools, the area is vulnerable to data leakage. As per the study on Hidden Disk Areas: HPA and DCO published in the International Journal of Digital Evidence, “It is possible to create an HPA that is approximately the same size as the HDD. This means that the HPA, DCO, or the HPA and DCO combined can potentially store large amounts of information, invisible to the investigator and/or the acquisition and analysis tools.”

There are several data recovery & forensic tools like PC-3000 that can retrieve data stored in these hidden zones. Leaving any scope of data recovery is a way of jeopardizing the security of confidential information of your organization.

If an organization claims to have erased data from its IT assets and servers as per the guidelines of NIST or IEEE, then hidden zones must also be erased. This means that erasing HPA, DCO, etc., is critical and cannot be overlooked. Non-compliance with these guidelines can result in incomplete data erasure leading to violation of data protection laws and regulations that mandate complete sanitization.

Methods to Erase HPA and DCO

Most modern drives have hidden areas; they are usually present on ATA HDDs and SSDs.

As per the media sanitization guidelines of NIST SP 800-88 Rev 1 and IEEE Std 2883-2022, any disk configuration capability that prevents access to the HPA, DCO, and AMA should be reset before sanitizing the storage media. It is also recommended to check whether the data sanitization has been successful with the help of a verification tool.
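As an added example (not from the original article and not BitRaser's code), the pre-erase check below sizes the HPA and DCO regions on a drive so that a non-zero result can block sanitization until the limits are reset. It assumes text in the format printed by the Linux `hdparm` utility (`hdparm -N` and `hdparm --dco-identify`); the sample output and function names are constructed for illustration.

```python
import re

# Constructed sample text in the format printed by `hdparm -N /dev/sdX` and
# `hdparm --dco-identify /dev/sdX`; the sector counts are invented.
SAMPLE_N = " max sectors   = 586070255/586072368, HPA is enabled\n"
SAMPLE_DCO = (
    "DCO Revision: 0x0001\n"
    "The following features can be selectively disabled via DCO:\n"
    "\tTransfer modes:\n"
    "\t\t mdma0 mdma1 mdma2\n"
    "\tReal max sectors: 586114704\n"
)


def parse_max_sectors(text):
    """Return (visible, native) sector counts from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if m is None:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    return int(m.group(1)), int(m.group(2))


def parse_dco_real_max(text):
    """Return the factory sector count from `hdparm --dco-identify` output."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    if m is None:
        raise ValueError("no 'Real max sectors' line in DCO output")
    return int(m.group(1))


def hidden_area_report(n_text, dco_text, sector_bytes=512):
    """Size the HPA and DCO regions an OS-level overwrite would never reach."""
    visible, native = parse_max_sectors(n_text)
    real = parse_dco_real_max(dco_text)
    if not visible <= native <= real:
        # Counts that do not nest mean the inputs come from different drives
        # or were misparsed; do not certify anything from them.
        raise ValueError("inconsistent sector counts")
    return {
        "hpa_sectors": native - visible,   # hidden by the Host Protected Area
        "dco_sectors": real - native,      # hidden by the DCO
        "hidden_bytes": (real - visible) * sector_bytes,
        "fully_addressable": visible == real,
    }


if __name__ == "__main__":
    print(hidden_area_report(SAMPLE_N, SAMPLE_DCO))
```

A drive should only proceed to a user-addressable overwrite when `fully_addressable` is true; otherwise the reported sectors stay untouched by it.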

The NIST Clear sanitization technique removes data from user-addressable areas only, and NIST warns that remnant data may be left behind on the disk. IEEE, for its part, recommends against using the IEEE Clear sanitization technique for highly sensitive data, because Clear is not recommended for sanitizing non-addressable locations. Purge is the recommended data sanitization method for erasing data from the entire storage media, including erasing HPA and DCO.

Using the NIST Purge techniques, the following options can be used to completely sanitize the storage media, including its hidden and remapped sectors.

For HDDs, there are four options:

  • One of the following ATA Sanitize Device features can be applied depending on the availability:
    • Overwrite EXT command
    • Cryptographic Erase (CRYPTO SCRAMBLE EXT)
  • SECURE ERASE UNIT Command
  • Cryptographic Erase through Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) or Enterprise SSC

For SSDs, there are three options:

  • One of the following Sanitize commands can be applied depending on the support available:
    • Block Erase Command
    • Cryptographic Erase (CRYPTO SCRAMBLE EXT)
  • Cryptographic Erase through TCG SSC or Enterprise SSC

Using the IEEE Purge technique, one of the following functions can be performed to completely sanitize ATA devices:

  • Cryptographic Erase
  • Sanitize Block Erase
  • Sanitize Overwrite
  • SECURITY ERASE UNIT (Enhanced Erase Mode)

Executing these techniques through the OEM-provided methods would require advanced technical knowledge. Manually performing them on each device that needs to be wiped is also not feasible, as it would be too time-consuming and would require more resources, making it unsuitable for bulk wiping. Therefore, organizations should use certified and tested software like BitRaser Drive Eraser that supports complete media sanitization of drives including hidden disk areas. The software uses sanitization methods like NIST 800-88 Clear and Purge to completely erase data, including from the hidden zones (HPAs, DCOs, DFAs) and remapped sectors. Further, BitRaser Drive Verifier software can be used to verify the outcome of the erasure process and ensure no data traces are left behind.

The post Importance of Erasing Hidden Disk Areas for Meeting Compliance appeared first on BitRaser.
